I answered part of my question here: http://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx
Is this replicable "service name" a Microsoft specific implementation, or is there an equivalent concept for MIT KDCs?

On Wed, May 14, 2014 at 1:39 PM, Ben H <[email protected]> wrote:

> Right now I'm experiencing this on my windows client connected to a
> Windows KDC, but have experienced it before on MIT clients - but am not
> seeing it now, and not sure how to recreate it....
>
> A Windows KDC (DC) registers many SPN records, among them:
>
> ldap/SERVER/DOMAIN
> ldap/{GUID}._msdcs.domain.local
> ldap/SERVER.domain.local/DOMAIN
> ldap/SERVER
> ldap/SERVER.domain.local
> ldap/SERVER.domain.local/domain.local
>
> I am currently seeing tickets on my client for both:
>
> ldap/SERVER.domain.local/domain.local @ DOMAIN.LOCAL
> and
> ldap/SERVER.domain.local @ DOMAIN.LOCAL
>
> I'm trying mostly to understand the syntax/terms to use in researching
> both what these multi-part SPNs are for (with the "/") as well as under
> what circumstances one would be chosen over the other. I'm under the
> impression that the application is going to decide what SPN to query and if
> that's the case, then it is simply Microsoft choosing in some cases to use
> one over the other (seems pointless and redundant) - but as I've mentioned
> I am 95% sure I've seen these on my MIT clients in the past.
>
> Can someone provide any insight into what these non-standard multi-part
> SPNs are for and if they are acceptable in MITkerb?
>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
